Defer signer() reads until after tryDecodeAuth success in SignerWebAuthn

[GarmashAlex]

• Avoid premature SLOADs by decoding WebAuthn first and only reading the P256 public key if decoding succeeds.
• Eliminates two unnecessary storage reads on the fallback path to raw P256 validation
• Aligns with existing patterns in SignerECDSA and ERC7913WebAuthnVerifier where decoding/recovery precedes storage access.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b4957d0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The _rawSignatureValidation function in SignerWebAuthn.sol is refactored to defer the signer() call. Previously, signer() was always invoked before decoding. The new implementation first checks decodeSuccess. If true, it calls signer() to obtain (qx, qy) coordinates and performs WebAuthn.verify. If false, it directly delegates to the parent class _rawSignatureValidation method. The public API surface and function signature remain unchanged; only internal control flow timing is altered.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main performance optimization: deferring signer() reads until after successful decoding, which is the core change in the PR.
Description check	✅ Passed	The description is directly related to the changeset, explaining the optimization rationale, the specific benefit of avoiding SLOADs, and alignment with existing patterns.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eb97fd3 and b4957d0.

📒 Files selected for processing (1)

• contracts/utils/cryptography/signers/SignerWebAuthn.sol (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: ernestognw
Repo: OpenZeppelin/openzeppelin-contracts PR: 5891
File: test/account/modules/ERC7579Module.behavior.js:56-61
Timestamp: 2025-10-15T02:52:05.027Z
Learning: In ERC7579 validator tests for `isValidSignatureWithSender`, using `this.mock` (not bound to a specific account) is valid when testing signature validation with any arbitrary sender, while `this.mockFromAccount` is used when testing account-specific validation scenarios.

📚 Learning: 2025-10-15T02:52:05.027Z

Learnt from: ernestognw
Repo: OpenZeppelin/openzeppelin-contracts PR: 5891
File: test/account/modules/ERC7579Module.behavior.js:56-61
Timestamp: 2025-10-15T02:52:05.027Z
Learning: In ERC7579 validator tests for `isValidSignatureWithSender`, using `this.mock` (not bound to a specific account) is valid when testing signature validation with any arbitrary sender, while `this.mockFromAccount` is used when testing account-specific validation scenarios.

Applied to files:

• contracts/utils/cryptography/signers/SignerWebAuthn.sol

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: Redirect rules - solidity-contracts
• GitHub Check: Header rules - solidity-contracts
• GitHub Check: Pages changed - solidity-contracts
• GitHub Check: slither
• GitHub Check: coverage
• GitHub Check: tests-upgradeable
• GitHub Check: tests-foundry
• GitHub Check: tests
• GitHub Check: halmos

🔇 Additional comments (1)

contracts/utils/cryptography/signers/SignerWebAuthn.sol (1)

44-49: LGTM! Excellent performance optimization.

Deferring the signer() call until after successful WebAuthn decode is a solid optimization that avoids two unnecessary SLOADs (for qx and qy coordinates) when the signature cannot be decoded as a WebAuthn assertion. The logic is correct and maintains behavioral equivalence with the previous implementation while improving gas efficiency on the fallback path.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}